This Policy Document encompasses all aspects of security surrounding confidential company information and must be distributed to all company employees. All company employees must read this document in its entirety and sign the form confirming they have read and understand this policy fully. This document will be reviewed and updated by Management on an annual basis or when relevant to include newly developed security standards into the policy and distribute it all employees and contracts as applicable.

This policy applies to CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD where a Data Subject’s Personal Data is processed: In the context of the business activities of the Companies. For the provision or offer of goods or services to individuals (including those provided or offered free-of-charge) by the Companies. To actively monitor the behaviour of individuals. Monitoring the behaviour of individuals includes using data prosessing techniques such as persistent web browser cookies or dynamic IP address tracking to profile an individual with a view to:

Taking a decision about them.

Analysing or predicting their personal preferences , behaviours and attitudes.

This policy applies to all Processing of Personal Data in electronic form (including electronic mail and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.

This policy has been designed to establish a worldwide baseline standard for the Processing and protection of Personal Data by the Companies. Where national law imposes a requirement which is stricter than imposed by this policy, the requirements in national law must be followed.

Furthermore, where national law imposes a requirement that is not addressed in this policy, the relevant national law must be adhered to. If there are conflicting requirements in this policy and national law, please consult with Office of Data Protection for guidance.

2. Commitment

CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD commits to respecting the privacy of all its customers and to protecting any data about customers from outside parties. To this end management are committed to maintaining a secure environment in which to process cardholder information so that we can meet these promises.

The Information Technology (IT) company, as part of its IT system and application design review process, will cooperate with the Data Protection Officer to assess the impact of any new technology uses on the security of Personal Data.

Data held by the company will not be shared informally. When access to confidential information is required, employees can request this from their line managers.

The Companies will provide training to all employees to help them understand their responsibilities when handling data.

The level of understanding of Data Protection policies and Privacy Notices.

The currency of Data Protection policies and Privacy Notices.

The accuracy of Personal Data being stored.

The conformity of Data Processor activities.

4

The adequacy of procedures for redressing poor compliance and Personal Data Breaches.

3. Data Protection Principles

The Companies have adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of Personal Data:

Principle 1: Lawfulness, Fairness and Transparency Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject. This means, the Companies must tell the Data Subject what Processing will occur (transparency), the Processing must match the description given to the Data Subject (fairness), and it must be for one of the purposes specified in the applicable Data Protection regulation (lawfulness).

Principle 2: Purpose Limitation Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means the Companies must specify exactly what the Personal Data collected will be used for and limit the Processing of that Personal Data to only what is necessary to meet the specified purpose.

Principle 3: Data Minimisation Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed. This means the Companies must not store any Personal Data beyond what is strictly required.

Principle 4: Accuracy Personal Data shall be accurate and, kept up to date. This means the Companies must have in place processes for identifying and addressing out-of-date, incorrect and redundant Personal Data.

Principle 5: Storage Limitation Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed. This means the Companies must, wherever possible, store Personal Data in a way that limits or prevents identification of the Data Subject.

Principle 6: Integrity & Confidentiality Personal Data shall be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing, and against accidental loss, destruction or damage. The Companies must use appropriate technical and organisational measures to ensure the integrity and confidentiality of Personal Data is maintained at all times.

4. Data Protection Officer –

The role of the Data Protection Officers (DPOs) whose duties include:

Informing and advising the Company and its Employees who carry out Processing pursuant to Data Protection regulations, national law or Union based Data Protection provisions;

Ensuring the alignment of this policy with Data Protection regulations, national law or Union based Data Protection provisions;

Acting as a point of contact for and cooperating with Data Protection Authorities (DPAs);

Determining the need for notifications to one or more DPAs as a result of the Companys’ current or intended Personal Data processing activities;

Making and keeping current notifications to one or more DPAs as a result of the Companys’ current or intended Personal Data processing activities;

The establishment and operation of a system providing prompt and appropriate responses to Data Subject requests;

The Data Protection Officer will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame.

5

5. Data Collection

a. Data Sources

Personal Data should be collected only from the Data Subject unless one of the following apply:

The nature of the business purpose necessitates collection of the Personal Data from other persons or bodies.

The collection must be carried out under emergency circumstances in order to protect the vital interests of the Data Subject or to prevent serious loss or injury to another person.

If Personal Data is collected from someone other than the Data Subject, the Data Subject must be informed of the collection unless one of the following apply:

The Data Subject has received the required information by other means.

The information must remain confidential due to a professional secrecy obligation

A national law expressly provides for the collection, Processing or transfer of the Personal Data.

Where it has been determined that notification to a Data Subject is required, notification should occur promptly, but in no case later than:

One calendar month from the first collection or recording of the Personal Data

At the time of first communication if used for communication with the Data Subject

At the time of disclosure if disclosed to another recipient a. Data Subject Consent

The Companies will obtain Personal Data only by lawful and fair means and, where appropriate with the knowledge and Consent of the individual concerned.

Where a need exists to request and receive the Consent of an individual prior to the collection, use or disclosure of their Personal Data, the Company is committed to seeking such Consent. The Data Protection Officer and other relevant business representatives, shall establish a system for obtaining and documenting Data Subject Consent for the collection, Processing, and/or transfer of their Personal Data.

The system must include provisions for:

Determining what disclosures should be made in order to obtain valid Consent.

Ensuring the request for consent is presented in a manner which is clearly distinguishable from any other matters, is made in an intelligible and easily accessible form, and uses clear and plain language.

Ensuring the Consent is freely given (i.e. is not based on a contract that is conditional to the Processing of Personal Data that is unnecessary for the performance of that contract).

Documenting the date, method and content of the disclosures made, as well as the validity, scope, and volition of the Consents given.

Providing a simple method for a Data Subject to withdraw their Consent at any time.

6

b. Data Subject Notification

The Companies will, when required by applicable law, contract, or where it considers that it is reasonably appropriate to do so, provide Data Subjects with information as to the purpose of the Processing of their Personal Data. When the Data Subject is asked to give Consent to the Processing of Personal Data and when any Personal Data is collected from the Data Subject, all appropriate disclosures will be made, in a manner that draws attention to them, unless one of the following apply:

The Data Subject already has the information

A legal exemption applies to the requirements for disclosure and/or Consent. The disclosures may be given orally, electronically or in writing. If given orally, the person making the disclosures should use a suitable script or form approved in advance by the Office of Data Protection. The associated receipt or form should be retained, along with a record of the facts, date, content, and method of disclosure.

6. Data Use

The Company uses the Personal Data of its Contacts for the following broad purposes:

The general running and business administration of the Companies

To provide services to their customers.

the ongoing administration and management of customer services.

The use of a Contact’s information should always be considered from their perspective and whether the use will be within their expectations or if they are likely to object.

The Companies will not Process Personal Data unless at least one of the following requirements are met:

The Data Subject has given Consent to the Processing of their Personal Data for one or more specific purposes.

Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.

Processing is necessary for compliance with a legal obligation to which the Data Controller is subject

Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.

Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a Third Party (except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, in particular where the Data Subject is a child).

There are some circumstances in which Personal Data may be further processed for purposes that go beyond the original purpose for which the Personal Data was collected. When making a determination as to the compatibility of the new reason for Processing, guidance and approval must be obtained from the Data Protection Officer before any such Processing may commence.

The only people with access to data covered by this policy will be those who require access for their work.

7

7. Data Processing

Data Processing In any circumstance where Consent has not been gained for the specific Processing in question, the Company will address the following additional conditions to determine the fairness and transparency of any Processing beyond the original purpose for which the Personal Data was collected:

Any link between the purpose for which the Personal Data was collected and the reasons for intended further Processing.

The context in which the Personal Data has been collected, in particular regarding the relationship between Data Subject and the Data Controller.

The nature of the Personal Data, in particular whether Special Categories of Data are being Processed, or whether Personal Data related to criminal convictions and offences are being Processed.

The possible consequences of the intended further Processing for the Data Subject.

The existence of appropriate safeguards pertaining to further Processing, which may include Encryption, Anonymisation or Pseudonymisation.

8. Special Categories of Data

The Companies will only Process Special Categories of Data (also known as sensitive data) where the Data Subject expressly consents to such Processing or where one of the following conditions apply:

The Processing relates to Personal Data which has already been made public by the Data Subject.

The Processing is necessary for the establishment, exercise or defence of legal claims.

The Processing is specifically authorised or required by law.

The Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving consent.

Further conditions, including limitations, based upon national law related to the Processing of genetic data, biometric data or data concerning health.

In any situation where Special Categories of Data are to be Processed, prior approval must be obtained from the Data Protection Officer and the basis for the Processing clearly recorded with the Personal Data in question.

9. Digital Marketing

As a general rule the Companies will not send promotional or direct marketing material to a Company Contact through digital channels such as mobile phones, email and the Internet, without first obtaining their Consent. The Data Subject must be informed at the point of first contact that they have the right to object, at any stage, to having their data Processed for such purposes. If the Data Subject puts forward an objection, digital marketing related Processing of their Personal Data must cease immediately and their details should be kept on a suppression list with a record of their opt-out decision, rather than being completely deleted.

It should be noted that where digital marketing is carried out in a ‘business to business’ context, there is no legal requirement to obtain an indication of Consent to carry out digital marketing to individuals provided that they are given the opportunity to opt-out.

10. Data Retention

To ensure fair Processing, Personal Data will not be retained by the Company for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further Processed..

All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.

8

11. Data Protection

The Companies will adopt physical, technical, and organisational measures to ensure the security of Personal Data. This includes the prevention of loss or damage, unauthorised alteration, access or Processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment.

12. Data Subject Requests

Data Subject Requests It should be noted that situations may arise where providing the information requested by a Data Subject would disclose Personal Data about another individual. In such cases, information must be redacted or withheld as may be necessary or appropriate to protect that person’s rights.

An individual who are the subject of personal data held are entitled to

Ask what information the company holds about them and why.

Ask how to gain access to it.

Be informed how to keep in up to date.

Be informed how the company is meeting its data protection obligations.

The requests should be made by email, addressed to the data controller at mark@carspunk.com

13. Transfer to Third Parties

The Companies will only transfer Personal Data to, or allow access by, Third Parties when it is assured that the information will be Processed legitimately and protected appropriately by the recipient.

Where Third Party Processing takes place, The Companies will first identify if, under applicable law, the Third Party is considered a Data Controller or a Data Processor of the Personal Data being transferred.

Where the Third Party is deemed to be a Data Controller, the Company will enter int , an appropriate agreement with the Controller to clarify each party’s responsibilities in respect to the Personal Data transferred.

Where the Third Party is deemed to be a Data Processor, the Company will enter into, in cooperation with the Office of Data Protection, an adequate Processing agreement with the Data Processor. The agreement must require the Data Processor to protect the Personal Data from further disclosure and to only Process Personal Data in compliance with Company instructions.

In addition, the agreement will require the Data Processor to implement appropriate technical and organisational measures to protect the Personal Data as well as procedures for providing notification of Personal Data Breaches.

When the Companies are outsourcing services to a Third Party (including Cloud Computing services), they will identify whether the Third Party will Process Personal Data on its behalf and whether the outsourcing will entail any Third Country transfers of Personal Data. In either case, it will make sure to include adequate provisions in the outsourcing agreement for such Processing and Third Country transfers.

9

14. Cardholder Information Security Policy

CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD handles sensitive cardholder information daily. Sensitive Information must have adequate safeguards in place to protect them, to protect cardholder privacy, to ensure compliance with various regulations and to guard the future of the organisation.

Employees handling Sensitive cardholder data should ensure:

l

l

l

l

l

l

l

l

l

l

l

Handle Company and cardholder information in a manner that fits with their sensitivity;

We reserve the right to monitor, access, review, audit, copy, store, or delete any electronic communications, equipment, systems and network traffic for any purpose;

Do not use e-mail, internet and other Company resources to engage in any action that is offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene, harassing or illegal;

Do not disclose personnel information unless authorised;

Protect sensitive cardholder information;

Keep passwords and accounts secure;

Request approval from management prior to establishing any new software or hardware, third party connections, etc.;

Do not install unauthorised software or hardware, including modems and wireless access unless you have explicit management approval;

Always leave desks clear of sensitive cardholder data and lock computer screens when unattended; Information security incidents must be reported, without delay, to the individual responsible for incident response locally – Please find out who this is.

We each have a responsibility for ensuring our company’s systems and data are protected from unauthorised access and improper use. If you are unclear about any of the policies detailed herein you should seek advice and guidance from your line manager.

10

15. Acceptable Use Policy

The Management’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD established culture of openness, trust and integrity. Management is committed to protecting the employees, partners and ourselves from illegal or damaging actions by individuals, either knowingly or unknowingly. We will maintain an approved list of technologies and devices and personnel with access to such devices as detailed in Appendix B.

Employees are responsible for exercising good judgment regarding the reasonableness of personal use.

Employees should ensure that they have appropriate credentials and are authenticated for the use of technologies

Employees should take all necessary steps to prevent unauthorized access to confidential data which includes card holder data.

Employees should ensure that technologies should be used and setup in acceptable network locations

Keep passwords secure and do not share accounts.

Authorized users are responsible for the security of their passwords and accounts.

All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature.

All POS and PIN entry devices should be appropriately protected and secured so they cannot be tampered or altered.

Because information contained on portable computers is especially vulnerable, special care should be exercised.

Postings by employees from a Company email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD, unless posting is in the course of business duties.

Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

16. Disciplinary Action

Violation of the standards, policies and procedures presented in this document by an employee will result in disciplinary action, from warnings or reprimands up to and including termination of employment. Claims of ignorance, good intentions or using poor judgment will not be used as excuses for non compliance.

17. Protect Stored Data

All sensitive cardholder data stored and handled by CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD and its employees must be destroyed immediately after completion of processing in a secure and irrecoverable manner.

If there is no specific need to see the full PAN (Permanent Account Number), it has to be masked when displayed.

PAN'S which are not protected as stated above should not be sent to the outside network via end user messaging technologies like chats, ICQ messenger etc.,

It is strictly prohibited to store:

The contents of the payment card magnetic stripe (track data) on any media whatsoever.

The CVV/CVC (the 3 or 4 digit number on the signature panel on the reverse of the payment card) on any media whatsoever.

The PIN or the encrypted PIN Block under any circumstance.

11

18. Information Classification

Data and media containing data must always be labelled to indicate sensitivity level

Confidential data might include information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure, or data that would cause severe damage to CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD if disclosed or modified. Confidential data includes cardholder data.

Internal Use data might include information that the data owner feels should be protected to prevent unauthorized disclosure;

Public data is information that may be freely disseminated.

19. Access to the sensitive cardholder data

All Access to sensitive cardholder should be controlled and authorised. Any Job functions that require access to cardholder data should be clearly defined.

Privileges should be assigned to individuals based on job classification and function (Role based access control)

Access to sensitive cardholder information such as PAN’s, personal information and business data is restricted to employees that have a legitimate need to view such information.

No other employees should have access to this confidential data unless they have a genuine business need.

If cardholder data is shared with a Service Provider (3rd party) then a list of such Service Providers will be maintained as detailed in Appendix B.

We will ensure a written agreement that includes an acknowledgement is in place that the Service Provider will be responsible for the for the cardholder data that the Service Provider possess.

We will ensure that a there is an established process including proper due diligence is in place before engaging with a Service provider.

We will have a process in place to monitor the PCI DSS compliance status of the Service provider.

20. Physical Security

Access to sensitive information in both hard and soft media format must be physically restricted to prevent unauthorised individuals from obtaining sensitive data.

Employees are responsible for exercising good judgment regarding the reasonableness of personal use.

Employees should ensure that they have appropriate credentials and are authenticated for the use of technologies

Employees should take all necessary steps to prevent unauthorized access to confidential data which includes card holder data.

Employees should ensure that technologies should be used and setup in acceptable network locations

A list of devices that accept payment card data should be maintained.

The list should include make, model and location of the device

The list should have the serial number or a unique identifier of the device

The list should be updated when devices are added, removed or relocated

POS devices surfaces should be periodically inspected to detect tampering or substitution.

Personnel using the devices should be trained and aware of handling the POS devices

Personnel using the devices should verify the identity of any third party personnel claiming to repair or run maintenance tasks on the devices, install new devices or replace devices.

Personnel using the devices should be trained to report suspicious behaviour and indications of tampering of the devices to the appropriate personnel.

​

A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to enter the premises for a short duration, usually not more than one day.

Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.

Media containing sensitive cardholder information must be handled and distributed in a secure manner by trusted individuals.

Visitors must always be escorted by a trusted employee when in areas that hold sensitive cardholder information.

Network Jacks located in public and areas accessible to visitors must be disabled and enabled when network access is explicitly authorised.

All POS and PIN entry devices should be appropriately protected and secured so they cannot be tampered or altered.

Strict control is maintained over the external or internal distribution of any media containing card holder data and has to be approved by management

Strict control is maintained over the storage and accessibility of media

All computer that store sensitive cardholder data must have a password protected screensaver enabled to prevent unauthorised use.

21. Protect Data in Transit

All sensitive cardholder data must be protected securely if it is to be transported physically or electronically.

Card holder data (PAN, track data etc) must never be sent over the internet via email, instant chat or any other end user technologies.

If there is a business justification to send cardholder data via email or via the internet or any other modes then it should be done after authorization and by using a strong encryption mechanism (i.e. – AES encryption, PGP encryption, IPSEC, GSM, GPRS, Wireless technologies etc.,).

The transportation of media containing sensitive cardholder data to another location must be authorised by management, logged and inventoried before leaving the premises. Only secure courier services may be used for the transportation of such media. The status of the shipment should be monitored until it has been delivered to its new location.

22. Security Awareness and Procedures

The policies and procedures outlined below must be incorporated into company practice to maintain a high level of security awareness. The protection of sensitive data demands regular training of all employees and contractors.

Review handling procedures for sensitive information and hold periodic security awareness meetings to incorporate these procedures into day to day company practice.

Distribute this security policy document to all company employees to read. It is required that all employees confirm that they understand the content of this security policy document by signing an acknowledgement form (see Appendix A)

Company security policies must be reviewed annually and updated as needed.

23. Network security

This is managed by IT Managed who the Company has a separate agreement with but includes

Firewalls must be implemented at each internet connection and any demilitarized zone and the

internal company network.

A network diagram detailing all the inbound and outbound connections must be maintained and reviewed every 6 months.

13

A firewall and router configuration document must be maintained which includes a documented list of services, protocols and ports including a business justification.

Firewall and router configurations must restrict connections between untrusted networks and any systems in the card holder data environment.

Solutions Card network to mitigate known and on-going threats. Firewalls must also be implemented to protect local network segments and the IT resources that attach to those segments such as the business network, and open network.

All inbound and outbound traffic must be restricted to that which is required for the card holder data environment.

All inbound network traffic is blocked by default, unless explicitly allowed and the restrictions

have to be documented.

All outbound traffic has to be authorized by management (i.e. what are the whitelisted category of sites that can be visited by the employees) and the restrictions have to be documented

We will have firewalls between any wireless networks and the cardholder

data environment.

We will quarantine wireless users into a DMZ, where they will be authenticated and firewalled as if they were coming in from the Internet.

Disclosure of private IP addresses to external entities must be authorized.

A topology of the firewall environment has to be documented and has to be updated in accordance to the changes in the network.

The firewall rules will be reviewed on a six months basis to ensure validity and the firewall has to

have clean up rule at the bottom of the rule base.

No direct connections from Internet to cardholder data environment will be permitted. All traffic has to traverse through a firewall.

System and Password Policy

All users, including contractors and vendors with access to CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

All vendor default accounts and passwords for the systems have to be changed at the time of provisioning the system/device into CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD network and all unnecessary services and user/system accounts have to be disabled.

All unnecessary default accounts must be removed or disabled before installing a system on the network.

Security parameter settings must me set appropriately on System components

All users must use a password to access our network or any other electronic resources

A minimum password history of four must be implemented.

25. Anti-virus policy

All machines must be configured to run the latest anti-virus software as approved by CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD, which must be configured to retrieve the latest updates to the antiviral program automatically on a daily basis. The antivirus should have periodic scanning enabled for all the systems.

The antivirus software in use should be cable of detecting all known types of malicious software (Viruses, Trojans, adware, spyware, worms and rootkits)

All removable media (for example floppy and others) should be scanned for viruses before being used.

All the logs generated from the antivirus solutions have to be retained as per legal/regulatory/contractual requirements or at a minimum of PCI DSS requirement 10.7 of 3 months

14

online and 1 year offline.

Master Installations of the Antivirus software should be setup for automatic updates and periodic scans

End users must not be able to modify and any settings or alter the antivirus software

E-mail with attachments coming from suspicious or unknown sources should not be opened. All such e-mails and their attachments should be deleted from the mail system as well as from the trash bin. No one should forward any e-mail, which they suspect may contain virus.

Incident Response Plan

'Security incident' means any incident (accidental, intentional or deliberate) relating to your communications or information processing systems. The attacker could be a malicious stranger, a competitor, or a disgruntled employee, and their intention might be to steal information or money, or just to damage your company.

The Incident response plan has to be tested once annually. Copies of this incident response plan is to be made available to all relevant staff members, and take steps to ensure that they understand it and what is expected of them.

Employees of CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD will be expected to report to the security officer for any security related issues.

Each department must report an incident to the Information Security Officer.

The Information Security Officer will investigate the incident and assist the potentially compromised department in limiting the exposure of cardholder data and in mitigating the risks associated with the incident.

The Information Security Officer will resolve the problem to the satisfaction of all parties involved, including reporting the incident and findings to the appropriate parties (credit card associations, credit card processors, etc.) as necessary.

The Information Security Officer will determine if policies and processes need to be updated to avoid a similar incident in the future, and whether additional safeguards are required in the environment where the incident occurred, or for the institution.

If an unauthorised wireless access point or devices is identified or detected as part of the quarterly test this is should be immediately escalated to the Security officer or someone with similar privileges who has the authority to stop, cease, shut down, and remove the offending device immediately.

A department that reasonably believes it may have an account breach, or a breach of cardholder information or of systems related to the PCI environment in general, must inform CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD Information Security Officer. After being notified of a compromise, the The Information Security Officer, will implement the PCI Incident Response Plan to assist and augment departments’ response plans.

In response to a systems compromise, the PCI Response Team and designees will:

Ensure compromised system/s is isolated on/from the network.

Gather, review and analyze the logs and related information from various central and local safeguards and security controls

Conduct appropriate forensic analysis of compromised system.

Contact internal and external departments and entities as appropriate.

Make forensic and log analysis available to appropriate law enforcement or card industry security personnel, as required.

Assist law enforcement and card industry security personnel in investigative processes, including in prosecutions.

15

The card companies have individually specific requirements the Response Team must address in reporting suspected or confirmed breaches of cardholder data.

Incident Response notifications to various card schemes

In the event of a suspected security breach, alert the information security officer or your line manager immediately.

The security officer will carry out an initial investigation of the suspected security breach.

Upon confirmation that a security breach has occurred, the security officer will alert management and begin informing all relevant parties that may be affected by the compromise.

27. Access Control Policy

Access Control systems are in place to protect the interests of all users of CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD computer systems by providing a safe, secure and readily accessible environment in which to work.

We will provide all employees and other users with the information they need to carry out their responsibilities in as effective and efficient manner as possible.

Access to Confidential, Restricted and Protected information will be limited to authorised persons whose job responsibilities require it, as determined by the data owner or their designated representative. Requests for access permission to be granted, changed or revoked must be made in writing.

Users are expected to become familiar with and abide by our policies, standards and guidelines for appropriate and acceptable usage of the networks and systems.

Access for remote users shall be subject to authorization by IT Services and be provided in accordance with the Remote Access Policy and the Information Security Policy. No uncontrolled external access shall be permitted to any network device or networked system.

Wireless Policy

Installation or use of any wireless device or wireless network intended to be used to connect to any of our networks or environments is prohibited.

Appendix A – Agreement to Comply Form – Agreement to Comply With Information Security Policies

________________________

Employee Name (printed)

________________

Department

I agree to take all reasonable precautions to assure that company internal information, or information that has been entrusted to CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD by third parties such as customers, will not be disclosed to unauthorised persons. At the end of my employment or contract with CARSPUNK/UNIQUE SCENTS/JAMMY FINGERS/LEYLAND CAR CARE/NW VALETING SERVICES LTD, I agree to return all information to which I have had access as a result of my position. I understand that I am not authorised to use sensitive information for my own purposes, nor am I at liberty to provide this information to third parties without the express written consent of the internal manager who is the designated information owner.

I have access to a copy of the Information Security Policies, I have read and understand these policies, and I understand how it impacts my job. As a condition of continued employment, I agree to abide by the policies and other requirements found in our security policy. I understand that non-compliance will be cause for disciplinary action up to and including dismissal, and perhaps criminal and/or civil penalties.

I also agree to promptly report all violations or suspected violations of information security policies to the designated security officer.